Cookies are small pieces of data sent from web sites to web browsers, which contains various information used to identify users, or store any information related to that particular website.

HTTPS Cookie Injection Vulnerability

Whenever a website (you have visited) wants to set a cookie in your browser, it passes a header named “Set-Cookie” with the parameter name, its value and some options, including cookie expiration time and domain name (for which it is valid).

It is also important to note that HTTP based websites does not encrypt the headers in any way, and to solve this issue websites use HTTPS cookies with "secure flag", which indicates that the cookies must be sent (from browser to server) over a secure HTTPS connection.

However, the researchers found that some major web browsers accept cookies via HTTPS, without even verifying the source of the HTTPS cookies (cookie forcing), allowing attackers with man-in-the-middle position on a plain-text HTTP browsing session to inject cookies that will be used for secure HTTPS encrypted sessions.

For an unprotected browser, an attacker can set HTTPS cookie masquerading as another site (example.com) and override the real HTTPS cookie in such a way that even the user might not realise it's a fake while looking through their cookie list.

Now, this malicious HTTPS cookie is controlled by the attacker, thus being able to intercept and grab private session information.

The issue was first revealed at the 24th USENIX Security Symposium in Washington in August when researchers presented their paper that said that cookie injection attacks are possible with major websites and popular open source applications including…

Affected Browsers:

The Affected major web browsers includes previous versions of:

Apple’s Safari

Mozilla’s Firefox

Google’s Chrome

Microsoft’s Internet Explorer

Microsoft’s Edge

Opera

However, the good news is that the vendors have now fixed the issue. So, if you want to protect yourself from this kind of cookie injection MitM (Man-in-the-Middle) attack vectors, upgrade to the latest versions of these web browsers.